Remove Headers
Item | Description |
---|---|
Full Fuzzer Name | RemoveHeadersFuzzer |
Log Key | RH |
Description | This fuzzer will remove headers in different combinations. The expectation is that APIs will reject the request as invalid if required headers are removed. |
Enabled by default? | Yes |
Target header types | All |
Expected result when fuzzed header is required | 4XX |
Expected result when fuzzed header is optional | 2XX |
Fuzzing logic | Iteratively removes headers in different combinations. The fuzzer computes the power set of the set of headers and removes each combination in turn. |
Conditions when this fuzzer will be skipped | None |
HTTP methods that will be skipped | None |
Reporting | Reports error if: 1. response code is 404; 2. response code is documented, but not expected; 3. any unexpected exception. Reports warn if: 1. response code is expected and documented, but does not match the response schema; 2. response code is expected, but not documented; 3. response code is 501. Reports success if: 1. response code is expected, documented and matches the response schema. |
tip
When the RemoveHeadersFuzzer is running, any security header mentioned in the headers.yml or supplied via -H will be added to the requests.
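The sketch below is an added example, not the fuzzer's own code: it enumerates the removal combinations described under "Fuzzing logic", re-adds supplied security headers as the tip describes, and maps a response onto the "Reporting" outcomes. The function names, the sample headers, skipping the empty subset, checking 404 and 501 before the other rules, and the "unspecified" result are assumptions made for illustration.

```python
from itertools import combinations

def removal_sets(headers):
    """Every non-empty subset of header names (power set minus the empty set)."""
    names = sorted(headers)
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            yield frozenset(combo)

def build_cases(headers, required, security_headers):
    """One case per removal set: headers actually sent and expected status family."""
    cases = []
    for removed in removal_sets(headers):
        sent = {k: v for k, v in headers.items() if k not in removed}
        sent.update(security_headers)  # per the tip: always added to the request
        expected = "4XX" if removed & required else "2XX"
        cases.append((removed, sent, expected))
    return cases

def report(status, expected, documented, matches_schema):
    """Map a response onto the Reporting row (404/501 checked first: assumption)."""
    if status == 404:
        return "error"
    if status == 501:
        return "warn"
    is_expected = f"{status // 100}XX" == expected
    is_documented = status in documented
    if is_expected and is_documented:
        return "success" if matches_schema else "warn"
    if is_expected:
        return "warn"       # expected, but not documented
    if is_documented:
        return "error"      # documented, but not expected
    return "unspecified"    # combination the Reporting row does not list

# Constructed sample contract (hypothetical header names and values)
HEADERS = {"X-Tenant": "acme", "X-Request-Id": "r-1", "Accept-Language": "en"}
REQUIRED = frozenset({"X-Tenant"})
SECURITY = {"Authorization": "Bearer <token>"}
DOCUMENTED = {200, 400, 401}

if __name__ == "__main__":
    for removed, sent, expected in build_cases(HEADERS, REQUIRED, SECURITY):
        print(sorted(removed), "->", expected, "sent:", sorted(sent))
```

Because the number of combinations doubles with every header, an operation with n headers produces 2^n - 1 requests under these assumptions, which is worth budgeting for on endpoints with many headers.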